The University of California’s Audit and Compliance Committee approved its 2025 audit and compliance plan after a staff presentation explaining a risk‑based approach that blends independent audits and advisory work. Committee members asked about research security, federal compliance and the program’s approach to cybersecurity testing.
The presenter, who outlined the pack of materials provided to Regents, said the plans are informed by a detailed risk assessment that reviews institutional data, external regulatory changes and structured interviews with campus and system leadership. “This is an effort to match our limited resources to the highest risk activities,” the presenter said, describing work with campus internal audit directors to identify systemwide priorities.
The plan adjusts the office’s approach to include more advisory service projects—where audit staff partner with managers on improvements and report directly to management—alongside traditional independent audits. The presenter said advisory projects are intended to help management “get ahead of certain issues” through collaborative work rather than strictly independent audits.
Committee members pressed on research security and federal requirements. The presenter warned that federal research rules can require certifications and tracking of foreign funding and that noncompliance could carry penalties, including the potential forfeiture of federal funding. The presenter said audit staff are coordinating with operational teams and that the office includes a cyber auditing team that conducts penetration testing and other reviews. The presenter deferred operational cybersecurity details to Rachel Nava and Ben Williams and said audit work is performed alongside their teams to “amplify some of the efforts” they have underway.
Motion and vote: A motion to approve the plan was made and seconded. A roll call recorded ayes from Regents Aguayano, Bachelor, Cohen, Elliott, Liebe, Macarecian, Montesantos, Park and Riley, and the chair announced Item C‑1 approved.
What the approval does and does not do: The committee approved the audit and compliance plan as presented; it did not initiate specific enforcement actions or finalize investigative reports. The plan directs audit staff to pursue a mix of independent audits, advisory service projects and risk‑targeted cybersecurity reviews, with further details to be developed in collaboration with campus audit directors and operational units.
The committee moved to closed session after approving the plan. Staff said they will return to the committee with results and findings from planned audits and advisory projects, and with updates on research‑security compliance and cyber testing.